I'm investigating Certicom's API because they are "free" with the Blackberry implementations, and have come to realize that I have several alternatives for implementing crypto such as BouncyCastle, and others.

I like the idea of using the same API across my product set, rather than to use Certicom for Blackberry, .NET for the server-side, and BouncyCastle in the Java clients.

What should I take into consideration when I access Certicom and their ECC technology?

What claims are real versus marketing FUD? Since this is not my area of expertise, I think it will take me significantly more time to separate the wheat from the chaff.

It would help to narrow this and give references - Certicom has a lot of products. E.g. is there some particular Certicom ECC API or product which you want to compare to other ECC implementations? And do you really want discussion of the ways of doing comparisons? Or just cut to the results?
– nealmcb Apr 1 '11 at 18:40

What claims do you want to know about? What claims specifically have been made? Also, why do you want to use ECC? Why don't you want to use BouncyCastle, OpenSSL, or somesuch? The question is vague and it's a bit hard to tell how to answer helpfully.
– D.W. Apr 3 '11 at 3:27

2 Answers

Certicom holds patents on certain primitives/protocols related to elliptic curve cryptography (MQV for example), which you will not be able to use from a freely distributable library. I can't enumerate everything they hold or say whether it is significant (textbook MQV is generally no longer used).

I have also heard, somewhat ironically, that they have the fastest RSA implementation and some companies use their libraries just for it. That may be an urban legend though.

In general, if you are going to use elliptic curve cryptography (which I recommend as it is fast), the Certicom library will be excellent but not irreplaceable. And for specialized purposes, there are probably faster EC implementations: e.g., NIST P-224 in OpenSSL, RELIC, Curve25519, etc.

If your priority is unity across platforms and you aren't doing heavy crypto, then using a general library instead of the Certicom one should be fine.

I don't see anything special about this library. All mobile platforms support OpenSSL or have some subset of the library incorporated into the platform. OpenSSL has the largest collection of primitives; it supports ECC and other forms of public key cryptography. OpenSSL is also the most widely distributed cryptography library; there are many eyes looking over the code to make sure that it is safe.